On July 1, new state privacy laws took effect in Connecticut, Arkansas, and Utah. The old excuse, "we're too small to worry," just stopped working. Here is what the new state privacy laws actually cover, the first step you can take today, and an hour with me to walk through the rest.
Save My Seat →Thursday, July 9, 2 PM ET. No charge, and it is not a pitch-fest.
The problem: Picture a small law firm. Three lawyers, one office manager, a client list they are proud of. For years they figured privacy laws were a big-company headache. On July 1, that changed, and they do not even know it yet. The new state privacy laws reached down and pulled in businesses their size.
The solution: You do not have to sort this out alone, and most of it is plainer than the legal talk makes it sound. By the end of this you will know who the new state privacy laws now cover, the one habit they all point to, and three things you can start today.
In this article
Three states switched on new rules the same day. Connecticut is the big one. Arkansas and Utah are narrower, but they matter too. Together, the new state privacy laws moved the line on who has to pay attention.
Connecticut updated its Data Privacy Act (the change is called SB 1295). The old rule covered businesses that handled the personal information of 100,000 people. The new line drops to 35,000. That alone sweeps in a lot of smaller firms. And here is the kicker: the size test goes away entirely if a business sells personal data, or if it holds "sensitive data." Connecticut's attorney general enforces all of it.
Arkansas passed a children's and teens' online privacy law (HB 1717). It requires a parent's consent for kids 12 and under. For ages 13 to 16, the teen or a parent can consent. Targeted ads aimed at minors are not allowed. Utah (HB 418) added data-portability rights, mostly around social media, so people can move their data from one platform to another.
Two words in the Connecticut law do the heavy lifting, and both trip up owners who feel safe. Let me put them in plain terms.
"Sells personal data" is broader than it sounds. It does not just mean trading names for cash. It means sharing personal data for value of any kind. Send your customer list to a marketing partner? Let an ad tool track your website visitors? That can count. Plenty of small firms "sell" data without ever thinking they did.
"Sensitive data" removes the size exemption. If you hold any of it, the 35,000 line no longer protects you. Sensitive data now includes Social Security numbers, financial account information, biometric or genetic data, and even "neural data." A law office holds Social Security numbers. A financial planner holds account information. A clinic holds both. Hold any, and you are in.
There is a new AI-training duty, too. If a business feeds personal data into training an AI tool, it now has to disclose that. In plain terms: if you pour customer information into some new AI helper, you have to say so.
So the small healthcare, law, or financial firm that felt safe under the old 100,000 line is exposed at 35,000, and often exposed no matter the count. That is the whole point. Size no longer saves you.
Let me be straight, because I will not pretend to be your lawyer. The legal fine print here needs a real attorney, and you should call yours. What I can help with is the tech side: knowing what personal data you actually hold, and where it flows. You cannot protect what you have never looked at.
Read the new state privacy laws back to back, and one thing sits under all of them. You have to know what personal data you hold, and where it goes. A privacy notice has to describe it honestly. An opt-out has to actually let people say no. Neither is possible if you have never mapped your own data.
This is the trap. Most small firms have data spread everywhere. A spreadsheet on one laptop. A cloud folder nobody cleaned up. An old marketing tool still holding a list. You cannot write a truthful privacy notice about data you forgot you had. You cannot protect it either. Size no longer saves you, and neither does not-looking.
You do not need a lawyer to start these, and you do not need to wait for me. Three steps, and they are the floor everything else stands on.
Ask three plain questions. Do you touch the personal data of 35,000 people or more? Do you share data with any marketing or ad partner? Do you hold Social Security numbers, account details, or health data? A yes to any one likely puts you under the new state privacy laws. Write the answers down.
Have someone read your public privacy notice against what you actually do. They should match. If people can ask you to stop selling or sharing their data, the opt-out has to work and be easy to find. Your attorney checks the legal wording. You make sure it tells the truth.
Make a simple list. What personal data do you keep, on which machines, in which apps, and who else touches it? This is the step almost everyone skips, and it is the one every rule circles. You cannot protect, or promise, what you have never looked at.
Do the first two today, and you have built the floor. The third, seeing what personal data lives on your own machines and what is open around it, is the piece I will walk you through live.
You started your business to serve clients, not to become a privacy officer. Feeling behind on this is normal, and it is not a personal failing.
I learned this one up close. My own dad fell for a phishing email, and I have spent my life in this work. Scammers got remote access to his computer and went hunting for his financial documents. My step-mother noticed something was off. I jumped in from across the country and stopped them before they reached his bank logins. We were lucky. We caught it in time.
I have spent more than 35 years (since 1991) watching how these attacks work. FBI InfraGard, zero ransomware on any client I have managed. The lesson never changes: the data you forgot about is the data that gets you. Seeing what you hold is simple once someone shows you, and that part I made easy.
The first two steps are yours to do today. Seeing what personal data lives on your machines, and what is open around it, is what I will walk you through, live, in plain English. Here are the three steps.
✅ No charge, and nothing to buy on the call.
✅ It is not a pitch-fest. You will leave with real steps whether or not you ever buy a thing.
✅ Plain English. No legal jargon, and no talking down to you.
✅ Come live if you can. That is where I answer your questions. Saved a seat but can't make it? I'll send you the replay.
✅ I am not your lawyer. For the legal fine print, talk to your attorney. I handle the tech side: what you hold and where it goes.
✅ Straight talk. I will show you what is "open" and what you "hold," never "you're now compliant."
Two reasons. First, state privacy laws spread. What one state requires this year tends to become the pattern others copy next. Connecticut, Arkansas, and Utah are the front of a line, not the whole of it. Second, if you hold data on anyone who lives in one of these states, their state's rules can reach you.
An hour now saves a scramble later. And if what you hold is already tidy, you will walk away knowing it.
You cannot protect what you have never looked at, and you don't have to look alone. Spend one hour with me. Watch me run a Reveal-Scan, the A-to-F look at what is open on a computer, and walk away with a short list you can hand to your team. The next privacy question stops being a knot in your stomach and becomes something you already handled.
Save My Seat →Thursday, July 9, 2 PM ET. No charge, and it is not a pitch-fest.
Can't wait for Thursday? You can run the same Reveal-Scan on your own computer, no card needed.
Want this kind of plain-English security news every week? Sign up for Craig's Insider Notes at CraigPeterson.com.
Join thousands of security professionals who receive Craig Peterson's Insider Show Notes and cybersecurity updates.
Join 10,000+ cybersecurity professionals